Diffstat (limited to 'meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch')
-rw-r--r-- | meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch | 121 |
1 files changed, 121 insertions, 0 deletions
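--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
@@ -0,0 +1,121 @@
+From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Thu, 25 Jul 2019 20:43:17 -0700
+Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central
+directory.
+
+There is a zip-like file in the Firefox distribution, omni.ja,
+which is a zip container with the central directory placed at the
+start of the file instead of after the local entries as required
+by the zip standard. This commit marks the actual location of the
+central directory, as well as the end of central directory records,
+as disallowed locations. This now permits such containers to not
+raise a zip bomb alert, where in fact there are no overlaps.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+extract.c | 25 +++++++++++++++++++------
+process.c | 6 ++++++
+unzpriv.h | 10 ++++++++++
+3 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 2bb72ba..a9dcca8 100644
+--- a/extract.c
++++ b/extract.c
+@@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
+}
+#endif /* !SFX || SFX_EXDIR */
+
+- /* One more: initialize cover structure for bomb detection. Start with a
+- span that covers the central directory though the end of the file. */
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present. */
+if (G.cover == NULL) {
+G.cover = malloc(sizeof(cover_t));
+if (G.cover == NULL) {
+@@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return PK-type error code */
+((cover_t *)G.cover)->max = 0;
+}
+((cover_t *)G.cover)->num = 0;
+- if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+- cover_add((cover_t *)G.cover,
++ if (cover_add((cover_t *)G.cover,
+G.extra_bytes + G.ecrec.offset_start_central_directory,
+- G.ziplen) != 0) {
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
+Info(slide, 0x401, ((char *)slide,
+LoadFarString(NotEnoughMemCover)));
+return PK_MEM;
+}
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+
+/*---------------------------------------------------------------------------
+The basic idea of this function is as follows. Since the central di-
+diff --git a/process.c b/process.c
+index 208619c..5f8f6c6 100644
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
+
+/* Now, we are (almost) sure that we have a Zip64 archive. */
+G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+/* Update the "end-of-central-dir offset" for later checks. */
+G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
+makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+G.ecrec.zipfile_comment_length =
+makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+/* Now, we have to read the archive comment, BEFORE the file pointer
+is moved away backwards to seek for a Zip64 ECLOC64 structure.
+diff --git a/unzpriv.h b/unzpriv.h
+index c8d3eab..5e177c7 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
+int have_ecr64; /* valid Zip64 ecdir-record exists */
+int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+} ecdir_rec;
+
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+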
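Review bot: The span ends registered for bomb detection are now computed from fields read out of the archive with no visible range check: `ec64_end` in find_ecrec64 is `ecrec64_start_offset + 12 + makeint64(&byterec[ECREC64_LENGTH])`, and the central-directory end in extract_or_test_files is the start offset plus `G.ecrec.size_central_directory`, where the old code used `G.ziplen`. If `zusz_t` is unsigned, as its use for offsets suggests, a malformed length can wrap the sum and give an end below its start or beyond the file; how `cover_add` handles such a span is not shown on this page. I would validate each pair before the `cover_add` calls, for example with `G.ecrec.ec64_end < G.ecrec.ec64_start || G.ecrec.ec64_end > G.ziplen`, and treat a failure as a damaged archive. The second `if` in extract.c also reports every non-zero `cover_add` result as `OverlappedComponents`/`PK_BOMB`, so an allocation failure there would be mislabelled if `cover_add` signals it with a distinct code. The bare `12` and `22` would read better as named sizes in the style of `ECLOC64_SIZE+4`; all three functions continue outside the hunks shown.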